gittuf is a security layer for Git repositories. With gittuf, any developer who can pull from a Git repository can independently verify that the repository's security policies were followed. gittuf's policy, inspired by The Update Framework (TUF), handles key management for all trusted developers in a repository, allows for setting permissions for repository branches, tags, files, etc., protects against other attacks Git is vulnerable to, and more — all while being backwards compatible with forges such as GitHub and GitLab.
gittuf is a sandbox project at the Open Source Security Foundation (OpenSSF) as part of the Supply Chain Integrity Working Group.
gittuf is currently in alpha. gittuf's metadata may have breaking changes, meaning a repository's gittuf policy may have to be reinitialized from time to time. As such, gittuf is currently not intended to be the primary mechanism for enforcing a repository's security.
That said, we're actively seeking feedback from users. Take a look at the get started guide to learn how to install and try gittuf out! Contributions are also welcome; please refer to the contributing guide, our roadmap, and the issue tracker for ways to get involved.
See the get started guide.